Medicament dispenser

ABSTRACT

A method of controlling the functioning of a portable medicament dispenser, said method comprising: (a) providing a memory for storing one or more parameters relating to the functioning of said dispenser; (b) storing authentication data for authenticating data for controlling a function of said dispenser; (c) receiving control data for said dispenser; (d) performing authentication of the control data using said stored authentication data; (e) in dependence on a result of the authentication, activating one or more parameters in said memory to control functioning of said dispenser in accordance with said control data.

This application is filed pursuant to 35 USC 371 as a United StatesNational Phase Application of International Patent Application SerialNo. PCT/GB02/01558 filed 2 Apr. 2002, which claims priority from GB0108228.8 filed on 02 Apr. 2001 in the United Kingdom.

The present invention relates to medicament dispensers for use in thedispensing of medicament, to medicament containers for use in same, andto systems and methods for the dispensing of medicament.

Lack of patient compliance with medical treatment regimens is known tobe a problem. According to the United States Food and DrugAdministration (FDA), between 30 and 50 percent of patients fail to usemedicines as prescribed, see “FDA Proposes Program to Give PatientsBetter Medication Information”. The main problems are known to be takingimproper dose, failing to take doses on time and ceasing treatmentprematurely. If this problem could be addressed, the quality of careoffered to patients could be improved considerably.

Medical dispensers are well known for the dispensing of various kinds ofmedicament. In their most simple form, they may comprise a container oftablets with a removable lid or blister packs of tablets. Inhalationdevices, such as metered dose inhalers (MDI) and dry powder inhalers areknown for the delivery of medicament for the treatment of respiratorydisorders. Syringes, including needleless syringes are also known forthe delivery of injectable medicament to a patient.

Reloadable medicament dispensers are known. These typically comprise ahousing defining a cavity and a medicament container, referred to hereinas a refill, which is reversibly receivable thereby. The housing and themedicament container may be sold separately or as a kit of parts.

Currently, medicament dispensers are primarily manually operable. Apatient actuates the dispenser in order to receive a dose of themedicament. If a variation in the basic dose, e.g. more than one dose,is required, the patient typically manually administers two doses. Itwould be desirable to provide a way in which the patient is relieved ofsole responsibility for the correct administration of doses ofmedicament, and more preferably the variation of such doses, within atreatment regimen.

Further desirable features relating to medicament dispensers includeease of use, portability and ease of manufacture.

PCT patent application no. WO92/17231 describes a metered dose inhalerhaving a microelectronic assembly thereon. The medicament containerincludes a set of electrically conducting strips which representinformation about the medicament container in digital form. The housingof the device includes electrical contact fingers which are contactablewith the strips to enable reading of the information to amicroelectronic memory on the housing. Read/write communication wouldnot be possible between the fingers and the reader and the significantadvantages of the present invention would therefore not be achievablewith this inhaler. Furthermore, contact between the strips on thecontainer and the electrical contact fingers is required which requiresphysical tailoring of the container to the housing, thereby limitingproduct design options. This document also describes an embodiment inwhich an active (i.e. powered) microelectronic element is attached tothe container.

PCT Patent Application No. WO 00/25720 describes a medication containerthat organises several vials or cassettes of different types ofmedication by securing the vials to a unitary lid. A machine readablememory strip is affixed to each vial. Each memory contains prescriptioninformation and medication implementation pertaining to the medicationin the vial. The unitary lid is equipped with sensors that read eachmemory strip and transmit the information to a processor in the lid. Theprocessor determines when each medication is to be taken and signals thepatient to take the appropriate medication from the appropriate vial atthe appropriate time. The automated lid also contains a receiver forobtaining updated medication dosing information based on currentlaboratory tests or physical observations of the physician regarding thepatient.

One problem with using an automated device which aids patient compliancewith medical treatment regimens is that, if the device is closely tiedto the dispensing system, the type of information and reminders that maybe provided includes that which is typically regarded as needing to begiven by a qualified expert, such as a physician or pharmacist.Assumption of responsibility for such tasks by an automated device leadsto the possibility of incorrect information being provided to a user,thereby exposing the user to potential risk, in the case of informationor reminders being given remote from a qualified expert. It is an objectof the present invention to overcome this drawback.

This problem is t some extent addressed by the system presented in U.S.Pat. No. 5,703,786, which is a centralised reminder system arranged todistribute reminder messages to respective dispensing systems inaccordance with a centrally held dispensing schedule. These remindermessages prompt the user to take his medication, whereupon the identityof the medicament to be taken (e.g. that inserted into the dispenserapparatus by the patient) is checked by the dispensing apparatus againsta stored identifier therefor. In the event that the check is successful,the apparatus dispenses the medication. Thus with this system, thereminder messages can be sent out by a non-expert, while the dispensingof drugs in response to receipt of such a reminder message will bedependent on verification of the identity of the refill inserted by thepatient. However, a problem with this system is that, for authenticationto take place at all, the medicament dispensing apparatus has to bemodified whenever there are any changes to the refill, e.g. to theformat of the identifier thereof.

In accordance with one aspect of the present invention, there isprovided a methods of controlling the functioning of a portablemedicament dispenser, said portable medicament dispenser being for usewith a refill container, said method comprising:

(a) providing a memory for storing one or more parameters relating tothe functioning of said dispenser;

(b) storing authentication data for authenticating data for controllinga function of said dispenser;

(c) receiving control data for said dispenser;

(d) performing authentication of the control data using said storedauthentication data;

(e) in dependence on a result of the authentication, activating one ormore parameters in said memory to control functioning of said dispenserin accordance with said control data,

characterised in that the step (d) of performing authentication of thecontrol data is performed by said refill container.

In accordance with a further aspect of the invention there is provided amethod of controlling the functioning of a portable medicamentdispenser, said portable medicament dispenser being for use with arefill container, said method comprising:

(a) providing a network node connected to a communications network, saidnode having access to a database for storing one or more parametersrelating to the functioning of said dispenser;

(b) generating control data for said dispenser using said one or moreparameters; and

(c) generating authentication data based on said control data to produceauthenticatable control data;

(d) arranging for said authenticatable control data to be transmitted tosaid dispenser, so as to allow said refill container to authenticate thegenerated control data.

By perfoming authentication of control data used for controlling thefunctioning of a portable medicament dispenser, and in dependence on theresult of the authentication, activating parameters in the memory tocontrol function of the dispenser, the functioning of the dispenser canbe maintained within the control of a qualified expert whilst allowingthe control data to be input into a dispenser without requiring thepresence of such an expert.

In one embodiment of the invention, the portable medicament dispenser isfor use with a node of a data communications network, and the controldata comprises control data received from said network node. In thiscase, a qualified expert, such as a physician, may update data, using asecure access procedure, on the network node, and then correspondingauthenticable control data may be delivered via a remote communicationslink.

Further features and advantages of the present invention will becomeapparent from the following description of preferred embodiments of theinvention.

Embodiments arranged in accordance with the invention will now bedescribed, by way of example only, with reference to the accompanyingdrawings in which:

FIG. 1 is a schematic illustration of a healthcare management system inaccordance with an embodiment of the invention;

FIG. 2 is a schematic illustration of patient apparatus in accordancewith an embodiment of the invention;

FIGS. 3 and 4 illustrate look-up tables used in embodiments of theinvention;

FIGS. 5 to 8 are flow diagrams illustrating procedures carried out inaccordance with embodiments of the invention; and

FIGS. 8 to 11 illustrate embodiments of patient apparatus in greaterdetail.

FIG. 1 illustrates a healthcare management system arranged in accordancewith an embodiment of the invention. The system includes a patienthealthcare management system A, a healthcare service provider datamanagement system B, a physician's data management system C, a pharmacydata management system D, and manufacturer data management system E.

Patient healthcare management system A includes a medicament dispenser 2which includes an outer housing which takes a refill 4, containingmedicament, which is inserted into a receiving inlet 5 of the dispenserand securely fastened therein. The refill 4 is removable therefrom oncethe refill is empty, or near to empty, to be replaced by a furtherrefill. The dispenser includes an alphanumeric display 28 for thedisplay of functional data and one or more man machine interfaceelements, for example buttons 30, for the control of the functions ofthe dispenser by the patient.

The dispenser 2 is adapted for insertion, in a drop-in fashion, into adocking station 6 for the transfer of data between the dispenser 2 and aservice provider network server 8, and for the recharging of a batteryand/or charge capacitors providing electrical power in the dispenser, inparticular its various functions to be described in further detailbelow. The docking station includes an electricity mains supply cable 9and, internally, a voltage transformer for the supply of power at arequired low voltage. In case of mains supply failure or unavailabilitythe docking station may further include a back-up battery, which may berechargeable or non-rechargable.

The docking station 6 also includes a communications module 10 forcommunicating with a corresponding communications module 12 on a networkinterface device 14. The network interface device 14 includes a networkinterface module 16 for access to a public data communications network18, such as the Internet. Both the docking station and the networkinterface device 14 may be located in a patient's home. Thecommunications modules 10, 12 preferably communicate via a radiointerface protocol, such as the Bluetooth™ radio protocol, therebyallowing the docking station 6 to be located at a selected point in thepatient's home, such as a bedroom or bathroom, remote from the networkinterface device 14. The network interface module 16 may comprise one ormore of a PSTN modem, a DSL modem, a cable modem, a wireless radionetwork modem. The network interface device may itself take the form ofan appropriately configured personal computer workstation, digitaltelevision set top box, home communications hub, etc.

FIG. 2 schematically illustrates the electronic components of themedicament dispenser 2, refill 4 and docking station 6 in greaterdetail.

The dispenser 2 includes a data processor, for example an integratedcircuit chip containing a microprocessor 100 and non-volatile memory, inthe form of for example ROM 108 and EEPROM 110. Some parts of the memoryare reserved for writing to during the manufacture of the dispenser andare, following manufacture, read-only or effectively read-only by virtueof being protected by a secret authentication code, preferably knownonly by the manufacturer. These read-only parts include a memoryportions storing one or more of a unique identifier for the dispenser, arandom or pseudo-random password related thereto, one or more type codesfor the one or more different types of medicament the dispenser isintended to be used with, a usage lifetime indicator in the form of anexpiry date and/or a prescribed maximum number of usages for thedispenser, manufacturing compliance check data and manufacturer details.Other parts are writable and are preferably protected, requiring apredetermined authentication step to have been performed before beingcapable of being written to, or rewritten. A first set of one or morerecords are intended to be written initially during dispensing of thedispenser, including one or more of a service provider identifier and/orservice provider network address, activation flag, details of aninitially prescribed treatment regimen, a version number thereof, andpatient name and other patient details. A second set of one or morerecords are intended to be written initially to by the docking station6, including records indicating a variation from the original treatmentregimen, a version number thereof, and a deactivation flag. A third setof one or more records are intended to be written initially to by thedispenser during use, including compliance monitoring data recordsindicating when medicament has been taken by the patient and what amountthereof. Some further parts of the memory, containing secret data and/oralgorithms, are not externally readable and only for internal use by themicroprocessor in performing authentication and encryption procedures.The dispenser 2 comprises external electrical contacts 20, correspondingto contacts in the docking station, for writing data to and reading datafrom the dispenser, and for charging the battery and/or capacitors ofthe dispenser.

The refill 4 includes a data processor, for example an integratedcircuit chip containing a microprocessor 116 and non-volatile memory, inthe form of for example ROM 118 and EEPROM 120. Some parts of the memoryare reserved for writing to during the manufacture of the refill andare, following manufacture, read-only or effectively read-only by virtueof being protected by a secret authentication code, preferably knownonly by the manufacturer. These read-only parts include one or morememory portions storing one or more of a unique identifier for therefill, a type code for the stored medicament, a medicament name, anexpiry date, an original dosage amount, manufacturing compliance checkdata and manufacturer details. Other parts are writable and arepreferably protected, requiring a predetermined authentication step tohave been performed before being capable of being written to, orrewritten. A first set of one or more records are intended to be writteninitially during dispensing of the refill, including one or more of anactivation flag, details of a prescribed treatment regimen, a versionnumber thereof, and patient name and other patient details. A second setof one or more records are intended to be written initially to by themedicament dispenser, including one or more records indicating a currentdosage amount remaining. Some further parts of the memory, containingsecret data and/or algorithms, are not externally readable and only forinternal use by the microprocessor in performing authenticationprocedures. The refill 4 comprises external electrical contacts 22,corresponding to contacts in the dispenser 2, for writing data to andreading data from the refill.

The docking station 6 includes a data processor in the form of forexample an integrated circuit chip containing a microprocessor 122 andnon-volatile memory, in the form of for example ROM 128 and EEPROM 130.Some parts of the memory are reserved for writing to during themanufacture of the docking station and are, following manufacture,read-only or effectively read-only by virtue of being protected by asecret authentication code, preferably known only by the manufacturer.These read-only parts include one or more memory portions storing one ormore of a unique identifier for the docking station, manufacturingcompliance check data and manufacturer details. Other parts aresubsequently writable. A first set of one or more records are intendedto be written to from the dispenser when the dispenser 2 is docked withthe docking station, including a medicament name, a current remainingdosage amount, details of a current treatment regimen and patient nameand other patient details. These first records contain data to bedisplayed on a screen 24. Screen 24 is larger than display 28, and iscapable of displaying bitmap images, for example logos, still and videopictures, etc, as well as alphanumeric text, responsive to userinteraction via an MMI such as buttons 26. A second set of one or morerecords are intended to store message data received from serviceprovider network server 8, including one or more records for storingdata for messages to be shown on screen 24. A third set of one or morerecords are for storing control messages to be transmitted to dispenser2, such as control messages for performing authentication and controlmessages indicating a variation in treatment regiment, indicating acurrent dosage amount remaining. A fourth set of records are for storingdata for transmission to network server 8, including compliancemonitoring data received from dispenser 2, and self-test health checkdata, and self-test health status data records, containing data such aspeak flow rate data in the case of a respiratory inhaler or bloodglucose level data in the case of an insulin dispenser, which isrecorded by a sensor 132 in, or associated with, the docking station. Inan alternative, the self-test health check data may be replaced bypatient self-assessment data, wherein the patient inputs, via MMI 26, aself-assessed health condition indicator, for example a figure from 1 to10, indicative of how the patient feels. The patient may also append thedata with text to record additional data relating to their state ofhealth. The self-test health check data, condition indicator data andother data are automatically date stamped for subsequent analysis bynetwork server 8 and presentation, for example via a patient-specificWeb site page, via charts and other assessment tools.

Dispenser display 28, for example an LCD screen, is for displayinginformation to the patient including the name of the medicamentcontained in an inserted refill, a current dose remaining, a currenttime, etc. Reminder messages may also be displayed thereon to indicatewhen a dose of medicament is due to be taken, in accordance with thecurrent treatment regimen. Such a reminder message may accompanied by atimed alarm indication, given for example by an audible (e.g. tone),kinematic (e.g. vibration) and/or visual (e.g. LED) signal generator.Patients may control display menu and functions by means of a userinterface, such as buttons 30. When administering medicine, patientopens outlet 32 and presses a button 30 to initiate the dispensing of adose, or multiple doses, of medicament. The amount dispensed iscontrolled by dispenser 2 in accordance with a current treatment regimenstored in the memory of the dispenser 2 and/or the refill 4, along withthe current date/time and/or stage of treatment.

Dispenser 2 further comprises a dispensing actuator 102, for theautomated dispensing of a dose, or multiple doses of medicament. In oneembodiment, the medicament is held in refill 4 in powder, liquid and/orgaseous form and a dispensing actuator is adapted to meter out arequired dose from refill 4. In another embodiment, refill 4 containsmedicament in the form of elements containing discrete amounts ofmedicament, for example tablets, capsules, powder compartments, etc. anddispensing actuator is adapted to automatically dispense one or morediscrete doses of medicament. Dispensing may be initiated by thepatient, for example by means of MMI 30. Dispenser 2 further comprisesdispensing sensor 104, for sensing the act of dispensing and recording,as monitoring data, the amount, time and date when dispensing occurs.Clock 106 is used for time monitoring and recordal in the dispenserelectronic system.

Data interface 22, consisting of two sets of corresponding electricalcontacts, is used for the transfer of data between the refill 4 and thedispenser 2. In an alternative embodiment, the interface consists of acontactless radio interface between a passive tag in the refill and anactive reader in the dispenser. Data interface 114, consisting of twosets of corresponding electrical contacts, is used for the transfer ofdata between the docking station 6 and the dispenser 2. In analternative embodiment, the interface consists of a contactless radiointerface, for example a Bluetooth™ radio interface which is operablewhen dispenser is placed in the proximity of the docking station 6.Power interface 114 consists of two sets of corresponding electricalcontacts for the transfer of electrical power between docking stationpower transformer 134, supplied by mains power source connection 9, andrechargeable battery 112 in the dispenser 2, which acts as a powersource for all electronic components in the dispenser 2 and the refill4. Transformer 134 acts as a power source for all electronic componentsin the docking station 6. Docking station 6 may also include arechargeable back-up battery in case of mains power failure.

Docking station 6 includes a data processing system including amicroprocessor 122, non-volatile memory in the form of ROM 128 andEEPROM 130, display 24, man machine interface elements 26, radiointerface module 10, including radio antenna 126, a mains power sourceconnection 9, and self-test module 132. Self-test module 132 includes apatient health sensor, such as a blood glucose level sensor, peak flowsensor, etc, and may be detachably connectable to the docking station.In an alternative embodiment, self-test module 132 is included indispenser 2, or may be detachably connectable to the dispenser 2.

Service provider network server 8 is connected to patient recorddatabase 34, which stores long-term patient health records to be used bythe health system for the treatment of patients under its care. Theserecords store historical patient health and treatment data, includingprescription data, treatment regimen compliance data, and health checkstatus data. Service provider network server includes analysis andreporting functions for operating on data contained in the patienthealth records and for transmitting messages and reports to otherhealthcare management systems including patient healthcare managementsystems, physicians' data management systems and pharmacy datamanagement systems.

Manufacturer data management system E includes a manufacturing systemserver 36, a data writing terminal 38 for writing data to a dispenser 40during manufacture, and a data writing terminal 40 for writing data torefill 4 during manufacture.

During manufacture, the dispenser memory 108, 110 is written to containpermanent data in the form of one or more of a unique identifier for thedispenser, a random or pseudo-random password, one or more type codesfor the one or more different types of medicament the dispenser isintended to be used with, a usage lifetime indicator in the form of anexpiry date and/or a maximum number of usages for the dispenser, ageographical region name and/or code, manufacturing compliance checkdata and manufacturer details. The dispenser memory is also written towith secret data and/or algorithms, which are not externally readableand only for internal use by the dispenser microprocessor in performingauthentication and encryption procedures. This secret data includes asecret authentication key, which may be of a shared secret type of aprivate key of a public/private key combination. The data may alsoinclude a public key for one or more service providers, or a trustedthird party providing service provider public key details, toauthenticate and/or decrypt control messages received from serviceprovider network server 8, which are encrypted and/or digitally signedby the server 8 using its private key and/or the appropriate sharedsecret key before transmission. The data may also include a public keyfor one or more manufacturers, or a trusted third party providingmanufacturer public key details, to authenticate and/or decrypt datareceived from refill 4, which are encrypted and/or digitally signed bythe manufacturer or on the refill before transmission. Followingmanufacture, the data written to the dispenser memory, including inparticular the unique identifier and the corresponding password and/orshared secret key and/or public key, are transmitted in a secure fashionto service provider network server 8 and stored therein awaitingdispensing of the dispenser 2 to occur. The dispensers are batched anddistributed in batches to pharmacies for subsequent dispensing topatients.

During manufacture, the refill memory 118, 120 is written to containpermanent data in the form of one or more of a unique identifier for therefill, a type code for the stored medicament, a medicament name, anexpiry date, an original dosage amount, a geographical region nameand/or code, manufacturing compliance check data and manufacturerdetails. The permanent data also includes a digital signature, generatedby manufacturer using a secret authenticating key, of the uniqueidentifier and/or other data, which is added to the refill memory. Therefill memory may also be written to with secret data and/or algorithms,which are not externally readable and only for internal use by therefill microprocessor in performing authentication procedures. Thissecret data may include a secret authentication key, which may be of ashared secret type of a private key of a public/private key combination.The data may also, or alternatively, include a public key for theservice provider, to authenticate and/or decrypt control messagesreceived from service provider network server 8, which are encryptedand/or digitally signed by the server 8 using its private key and/or theappropriate shared secret key before transmission. Followingmanufacture, the data written to the refill memory, including inparticular the unique identifier and the corresponding digitalsignature, shared secret key and/or public key, are transmitted in asecure fashion to service provider network server 8 and stored thereinawaiting dispensing of the refill 4 to occur. The refills are batchedand distributed in batches to pharmacies for subsequent dispensing topatients.

Patient system A also contains a smart card 42 for identifying thepatient and storing patient healthcare details, which preferably arereplicated in patient record database 34, including general health data,prescription data, allergy data, etc. Smart card 42 includes electricalcontacts 43 whereby a smart card reader/writer accesses data recordsheld on the smart card.

Physician data management system C includes a workstation personalcomputer 44, a smart card reader/writer 46 and a dispenser reader/writer48. The dispenser reader/writer 48 may be a docking station similar tothe patient docking station 6. On visiting a physician, a patientpreferably carries their smart card 42. The smart card is inserted inreader/writer 46 to allow the physician to access patient data heldthereon and/or patient data held in patient record database 34. The datais accessed via workstation 44. Each physician has a personal usernameand password providing the physician with authority to access such data,which details are verified by network server 8 before such access isgranted. Following consultation, the physician may issue a digitalprescription, which is written to smart card 42 and/or patient recorddatabase 34.

Pharmacy data management system D includes a server 50, a workstationpersonal computer 52, a dispenser reader/writer 54, a refillreader/writer 56 and a smart card reader/writer 58. The dispenserreader/writer 54 may be a docking station similar to the patient dockingstation 6.

When a patient visits the pharmacy to obtain supplies, the patientcarries their smart card 42, which is inserted in smart card reader 58in order to identify the patient and the corresponding prescription. Thepatient data is accessed via workstation 52. Each pharmacist has apersonal username and password providing the pharmacist with authorityto access such data, which details are verified by network server 8before such access is granted. The patient identity is transmitted tonetwork server 8 in order to access and/or the prescription data. Thepatient's data record indicates whether the patient currently holds adispenser appropriate for the prescribed medicament. If not, as in thecase of a newly diagnosed patient, the network server instructspharmacist system to dispense a new dispenser 2.

In order to dispense a new dispenser 2, the pharmacist retrieves theappropriate dispenser from the pharmacy stores and inserts the dispenserinto dispenser reader/writer 54. The reader/writer 54 reads thedispenser's unique identity and transmits same to network server 8. FIG.3 shows a look-up table held database in 34, associating each uniquedispenser ID, and the associated data fields, corresponding to theoriginal data held in the dispenser memory, provided by manufacturer(illustrated as Field #1 etc.) with a patient ID following dispensingthereof. The reader/writer is then used to write data received fromnetwork server 8, containing one or more of a service provideridentifier and/or service provider network address, activation message,details of an initially prescribed treatment regimen, a version numberthereof, patient ID and name and other patient details, and ageographical region code, to the dispenser memory. The written data ispreferably encrypted and/or signed by the network server 8, therebyindicating to the dispenser that a pharmacist having the necessaryauthority is performing the dispensing operation. Once activated, thedispenser 2 is ready for use with an appropriate refill 4.

In order to dispense a new refill 4, the pharmacist retrieves theappropriate refill from the pharmacy stores and inserts the dispenserinto dispenser reader/writer 54. The reader/writer 54 reads the refill'sunique identity and transmits same to network server 8. FIG. 2 shows alook-up table held database in 34, associating each unique refill ID,and the associated data fields, corresponding to those originally heldin the refill memory, provided by manufacturer (illustrated as Field #1etc.) with a patient ID following dispensing thereof. The reader/writeris then used to write data provided by network server 8, containing oneor more of an activation message, details of a prescribed treatmentregimen, a version number thereof, and patient ID, name and otherpatient details, and a geographical region code, to the refill memory.The written data is preferably encrypted and/or signed by the networkserver 8, thereby indicating to the refill that a pharmacist having thenecessary authority is performing the dispensing operation. Onceactivated, the refill 4 is ready for use with an appropriate dispenser2.

In one embodiment, the pharmacy procedures include reading the datastored on the dispenser and/or refill prior to dispensing, and modifyingthe dispensing operation accordingly, either in the pharmacy systemalone or in combination with the network server system. For example, thepharmacy may be prevented from dispensing a device having a geographicalregion name and/or code which does not correspond for refills anddispensers, or if the location of the pharmacy does not correspondtherewith.

The look-up tables shown in FIGS. 3 and 4 are used for the correctidentification of a patient by means of the corresponding dispenserand/or refill ID's. When data is transferred from a dispenser 2 and/or arefill 4 to network server 8, the data includes the device ID and/or therefill ID. Thereby, the patient is identified without requiring thepatient to input username and/or password details each time data is sentto the network server 8. Furthermore, the associated authenticationprocedures may be performed by means of the devices themselves, ratherthan the patient having to identify and carry out authentication eachtime sensitive data is transferred. The corresponding sharedauthentication data, such as shared secret keys, held on both thedevices and in the device-related parameter fields illustrated in FIGS.3 and 4, may be uniquely correlated by means of the look-up tables tothe identity of the patient to whom the device was prescribed. In analternative embodiment, the unique patient ID is written at thepharmacist onto the dispenser and/or refill during dispensing, and thepatient ID is sent with any data sent from dispenser to network server8. However, in this case a device ID, which may be unique amongst alldevices, or unique only in combination with the patient ID, ispreferably also sent to allow the identification of the device currentlybeing used by the patient at the network server 8. In any case, the datatransmitted to network server 8 contains a unique identity, preferablydevice ED, whereby the corresponding patient record may be accessed.

FIG. 5 is a flow diagram illustrating procedures carried out in thedispenser 2 on insertion of a refill 4. On insertion of thepharmacy-dispensed refill 4 into the pharmacy-dispensed dispenser 2, thedispenser reads all available data held in refill memory, step 200. Thedispenser then checks that no conflicts exist between the data read andthat stored in its memory, steps 202 and 204, including ensuring thatthe refill has a matching patient ID, acceptable medicament type code,acceptable geographical region code, etc. Furthermore, dispenser 2checks that the any digital signature accompanying the parameter dataheld in refill is correct. This check is carried out, in one embodiment,by reading the appropriate signature and decrypting it with the publickey of the network server 8 to ensure that it corresponds with theoriginal data, for example the unique identity of the refill 4, to whichthe signature is attached. In other embodiments, other cryptographicmethods are used to check the authenticity of the refill by means ofpublic/private key or shared secret key encryption/decryption methods.If a conflict is found, a conflict indicator signal is generated. If noconflict is found, the dispenser checks if there are any updates to bereceived from the refill. For example, the refill may contain a morerecent treatment regimen, which may be detected by means of a laterversion number. If an update is detected, it is first authenticated, bychecking the accompanying digital signature, before updating theappropriate parameters in its memory. If the update authenticationfails, a conflict indicator signal is generated. Otherwise, followingany update, the dispenser 2 begins a normal treatment regimen inaccordance with data held on the dispenser and/or the refill 4. If aconflict indicator signal is generated, the dispenser display 28 isactivated to show an appropriate error message, for example “Refill notauthorised: see pharmacist”, step 206. The dispenser 2 also inhibits anyreminder programme which would otherwise have been followed, step 208.On generation of the conflict indicator signal, the dispenser may, inone embodiment, write a deactivation flag in the dispenser or refillmemory to prevent the refill and/or the dispenser being used, at leastuntil the conflict is resolved by means of an update message receivedfrom server 8. Alternatively, the dispenser may still be used in manualoverride mode to dispense medicament from the refill, even though thedata management functions are not made available. Further alternatively,the dispenser may continue to operate normally but store the conflictdata to transmit same to network server 8 when the dispenser is nextdocked. The action taken by dispenser may depend upon the nature of theconflict found. For example, if the refill contains the wrong type ofmedicine, the refill may be fully deactivated. On the other hand, if therefill was dispensed to a different patient, but contains the correcttype of medicament, the dispenser may be used as normal, with theconflict data being sent to network server 8 to be written to thepatient record in order that a healthcare professional, such as thephysician or pharmacist, may be made aware of the conflict when thepatient record is next accessed.

The dispenser then senses whether a docking connection is made todocking port 6, for example by means of a data read signal beingreceived from docking port 6, at which point an message indicating thedetected conflict is sent, via docking station 6, to network server 8,steps 210 and 212. Network server 8 may used the conflict data formonitoring purposes, and inform the appropriate healthcare professionalas and when required of the detected conflict. For example, when patientnext visits a pharmacist, the pharmacist will be able to access, via thepatient record, the conflict data and indicated the nature of theproblem to the patient. If the conflict is an internal conflict causedby an error in the network server system 8, the conflict may be resolvedand updates may be sent to all other affected dispensers to avoid theconflict occurring unnecessarily elsewhere. Preferably, the dispensermay still be used in manual override mode to dispense medicament fromthe refill, even thought the data management functions are not madeavailable.

In any case, when a conflict is found, conflict data indicating thecause of the conflict, e.g. both the data derived from the refill andthe corresponding, incompatible, data held on dispenser, is transmittedto network server 8. Network server 8 analyses the nature of theconflict and can take remedial action, such as writing correspondingdata to patient record for perusal by a healthcare professional havingaccess to the system, transmitting informational messages to the patientvia the patient docking station, and/or transmitting update messages tothe dispenser via the docking stations to resolve the conflict byupdating one or more fields of the dispenser memory as appropriate.

If no conflict is found, the unique identity of the refill and/or otherdetails held on the refill are written to a record in the dispensermemory for transfer, via docking station 6, to the network server 8 whenthe dispenser is next docked. Such data, derived from the refill, isthen stored in the appropriate patient record by the network server 8,to provide a medication history, including details of the refillcontainer used, for the patient. Furthermore, in an alternativeembodiment, any conflict checks are carried out by network server. Inthis embodiment, the current refill ID and device ID are preferablytransmitted to network server 8, and the corresponding parameter data,held in the lookup tables illustrated in FIGS. 3 and 4, is analysed bynetwork server 8 to determine whether a conflict exists. Alternatively,one or more of the other parameter data items held in the dispensermemory and/or the refill memory may be transmitted to network server 8.If a conflict is found, network server 8 analyses the nature of theconflict and can take remedial action, such as writing correspondingdata to patient record for perusal by a healthcare professional havingaccess to the system, transmitting informational messages to the patientvia the patient docking station, and/or transmitting update messages tothe dispenser via the docking stations to alter the functioning of thedispenser, to disable the dispenser until a new refill has beeninserted, and/or to resolve the conflict by updating one or more of thepreviously incompatible fields of the dispenser memory as appropriate.

FIG. 6 illustrates a treatment procedure followed by dispenser 2 whenloaded with a correct refill 4. The dispenser holds treatment regimendata from which it is determined when a medicament dose is due to betaken by the patient, step 300. A period is defined when the dose isdefined to be correctly taken, by means of a start date/time and anend/date time, which may be defined relative to a last taken medicationor in accordance with an absolute timing policy. If the patientactivates the dispenser prior to the start date/time, step 302, thedispenser acts in accordance with an early dispensing procedure, step304, which is different to the normal dispensing procedure. This may beto at least initially inhibit dispensing and display a message to thepatient indicating that it is too early to take another dose. An optionmay at this stage be given to allow the patient to confirm that a doseis required, in response to which the dispenser conducts dispensing asrequired. Alternatively, dispenser may initially dispense the dose atthe requested time, and update the subsequent reminder schedule tocancel the upcoming reminder and bring forward the subsequent reminders.

When a dosing reminder is due, the dispenser 2 emits a dosing remindersignal, step 306. The signal may be an audio, visual and/or kinematicsignal, and may vary over time depending on whether dosing is carriedout by the patient, for example to increase in intensity over time. Whenpatient actuates the dispenser to dispense a dose of medicament, step310, the dispenser determines whether the dispensing operation is laterthan the predefined end date/time for the normal dosing period, step310. If so, a late dispensing procedure, different to a normaldispensing procedure, is carried out, step 318. This may consist ofindicating to the patient that the dose is being taken late andadjusting the subsequent reminder schedule accordingly, to delaysubsequent reminders in accordance with the delay. If within the normaldosing period, the normal dosage data is accessed, step 312, and theappropriate dosage is dispensed, step 314. Following all dispensingprocedures, although only shown in relation to normal dispensingprocedure, the monitoring data held in dispenser, subsequently to besent to network server 8, is updated to store details of the latestdispensing event, including date/time, amount dispensed, and any otherpertinent data such as patient health data (e.g. peak flow rate)detected during the dispensing operation.

FIG. 7 illustrates a procedure carried out by docking station 6 when adispenser is docked therein. Note that in this preferred embodiment, thedocking station 6 may be used with multiple different dispensers,including multiple dispensers owned by the same patient and/or multipledispensers owned by different patients.

On receiving a dispenser 2, the docking station 6 first reads thepatient name and medicament name, along with other pertinent data suchas number of doses remaining, etc., and displays these details to thepatient, steps 400, 402, via display 24. The patient may scroll throughthe relevant data held on dispenser by means of an MMI interaction.Next, the docking station reads other stored data from the dispenser,including the dispenser identity, the refill identity, any conflict dataresulting from a conflict check conducted by dispenser 2, and dispensingmonitoring data stored when the patient has dispensed medication fromthe dispenser 2. This stored data may be provided by the dispenser inencrypted form, for example encrypted using its stored secret key, fortransmission by the docking station in encrypted form, step 406, anddecryption by the network server 8 with reference to the correspondingdecryption key held in the details held for the identified dispenser.Furthermore, authentication data, in the form of a digital signatureproduced by the dispenser 2 and/or the refill 4, may also be transmittedfor checking by network server. The docking station may form a suitabledata connection, for example a TCP/IP socket connection, to the networkserver 8.The connection between the docking station 6 and the networkserver 8 may in any case be arranged to be secure, for example viasecure socket layer (SSL) interactions. The data sent by docking stationis analysed at the network server 8 and one or more response messagesare generated and sent to be received by docking station, step 408.These messages may be structured as extensible markup language (XML)documents. The responses preferably comprise data to be displayed touser via the display screen 24 of the docking station, and update datato be passed by docking station. Docking station 6 parses the responsedata, step 410, displays the display content, step 412, and transmitsany update messages to the dispenser 2, step 414. The update messagesare preferably encrypted by network server 8 using the correspondingencryption key, for example the dispenser's shared secret key or thepublic key of the dispenser, and/or contain a further authenticationelement, such as a digital signature authenticating the data as havingbeen generated by, or with the authority of network server 8.

FIG. 8 illustrates steps taken by dispenser 8 on receipt of an updatemessage via docking station 6, step 500. Initially, the dispenser 2conducts decryption of the data using a secret key stored in thedispenser memory, step 502. Next, the dispenser checks the accompanyingdigital signature, step 502. If either of these steps fails, the updatemessage cannot be authenticated, step 506 by dispenser 2 and an errormessage is displayed, step 510. An error message may also be sent tonetwork server 8, to allow a further, corrected, update to be sent. Ifthe update is authenticated by the dispenser, step 506, thecorresponding data fields are updated in the dispenser memory and/or therefill memory, step 508. It is to be noted that any one or more of thewritable fields of the dispenser and/or the refill, such as any of thosepreviously mentioned, may be updated in this way.

If the dispenser 2 and/or the refill 4 fails to authenticate to networkserver 8, the network server can send an appropriate message to thedocking station, such as “Authentication failed: please visit pharmacy”.

In a subsequent physician visit, if the patient has brought theirdispenser 2, and the dispenser is inserted into reader/writer 48 inorder for the most recent compliance and health status data to bedownloaded to network server 8. The dispenser's unique identity istransmitted to network server 8, along with authentication data in theform of the corresponding password and/or, if stronger authentication isrequired, an encrypted response to a challenge message sent by theserver 8, which response is verified by server 8 in order to validatethe dispenser identity. The corresponding patient identity is looked upby network server in order to access the correct patient record.

Not only does physician have access to patient data, but also theanalysis and reporting functions provided by network server 8 followingthe period of patient compliance and health monitoring provided bydispenser 2. Following consultation with the network server functionsand the patient, the physician may vary the treatment regimen, by inputto workstation 44 which results in an update procedure whereby networkserver 8 transmits data to be written to the dispenser by reader/writer48. The transmitted data is encrypted and/or digitally signed by thenetwork server, using the appropriate secret and/or private key for thedispenser 2. On receipt, the dispenser decrypts and/or authenticates thecontrol data and, if authentication is successful, updates its recordsaccordingly. The physician may also prescribe more or a new medicament,in which case a digital prescription is written to smart card 42 and/orto patient record database 46.

If on docking with docking station 6, either the docking station or thenetwork server 8 establishes that the patient is due for anotherprescription, a message may be displayed to the patient inquiringwhether a further prescription should be ordered. If the patient repliesin the affirmative, a represcription order placed in the patient record,or is transmitted to a selected pharmacist, and the patient may pick upthe appropriate refill by presenting at the pharmacist with theirpatient smart card 42.

The network server-based system also monitors the lifetimes ofdispensers and/or refills. Namely, associated with each of thedispensers and refills, by means of parameter data held against thedevice identity in the look-up tables illustrated in FIG. 4, is anexpiry date for the device, and when the device is due to expire, asuitable message may be sent to docking station instructing the patientto order the prescription of a new device. On expiry an update messagemay be sent to the dispenser via the docking station to disabledispensing. The lifetime of the dispenser may be based solely on anexpiry date, a usage amount (e.g. maximum number of allowed uses), orboth. In any case, such monitoring and messaging is useful in order toinhibit the at least inconvenient failure of any of the devices used bythe patient.

In the above-described embodiments, the patient is identified primarilyby means of the dispenser and/or the refill which they have beendispensed by a registered pharmacist. Additional identity checks may becarried out by the system. For example, the dispenser 2 or the dockingstation 6 may include a Biometric sensor such as a fingerprint sensorfor positively identifying the patient before any actions based upon thepatient identity are carried out.

In different embodiments of the invention, the dispenser is typicallyshaped to define a cavity within which the refill is receivable. Thedispenser and/or refill may be further shaped with grooves, indentationsor other shaping or surface details to define a slidinglylockable/releasable relationship between the dispenser and the refill.Accordingly, the dispenser may have a lockable cover which is releasableto expose the cavity within which the refill is held.

FIGS. 9 a and 9 b show a metered dose inhaler comprising a dispenser inthe form of a tubular actuator housing 601 shaped for receipt of anaerosol refill 602. The actuator housing is open at one end and isclosed at the other. An outlet 603 leads laterally from the closed endof the housing 601. In the embodiment illustrated, the outlet 603 is inthe form of a mouthpiece intended for insertion into the mouth of thepatient but it may, if desired, be designed as a nozzle for insertioninto the patient's nostril. The aerosol refill 2 has an outlet valve 604at one end. This valve acts as a release means for release of a measureddose from the aerosol refill. The release means is actuable by inwardmovement of the valve 4 relative to the aerosol refill 602.

The metered dose inhaler of FIGS. 9 a and 9 b includes an electronicdata management system 610, including all electronic components andelectrical connections, and is adapted for docking with a correspondingdocking station, as described above in detail, comprised within anextended part 606 of the housing 6. A visual display (not visible)allows for display of information from the electronic data managementsystem 610 to the patient. The electronic data management systemconnects to a sensor (not visible) for sensing the breathing pattern ofthe patient and an actuator (not visible) for actuating the release ofaerosol from the refill 2.

A data module in the form of a chip 620 is mounted on the side of theaerosol refill 602. Corresponding read/write contacts 630 for the chip620 are moulded into the internal surface of the dispenser housing 601.In an alternative embodiment the data module 620 comprises aradiofrequency identification tag and the read/write module 630 iscapable of reading data therefrom and writing data thereto by the use ofinterrogating radiofrequency energy. In another embodiment the datamodule 620 comprises a magnetic label and the read/write module 30 iscapable of reading data therefrom and writing data thereto by the use ofinterrogating magnetic field energy.

FIG. 10 shows a schematic representation of a breath-operable medicamentdispensing system, which is an embodiment of the system shown in FIGS. 9a and 9 b. The system comprises a metered dose inhaler similar to thatshown in FIGS. 9 a and 9 b, comprising tubular housing 710 having adispensing outlet 712 in the form of a mouthpiece. Within the housing710 sits aerosol refill 720 which has a valve dispensing mechanism 722in the form of a slide valve. Valve stem 724 is supported by valvesupport 714. Outlet passage 716 is provided in the support 714 to enablepassage of dispensed dose to the dispensing outlet 712.

It may be seen that the upper part of the aerosol refill 720 abutsrefill seat 730. The refill seat 730 comprises an insulating portion 732which directly contacts the aerosol refill 720 and an upper conductingportion 734 (e.g. comprised of aluminium). It may also be seen that thevalve support 774 connects with conducting valve seat 740. Plural shapememory alloy wires 750 a, 750 b connect the conducting portion 734 ofthe refill seat 730 to the conducting valve seat 740. The plural wires750 a, 750 b comprise a nickel-titanium alloy which contracts inresponse to electrical current flow therethrough. It may thus, beappreciated that on passage of electrical current through the pluralwires 750 a, 750 b the refill seat 730 and valve seat 740 will be drawntowards each other as the wires 750 a, 750 b contract. Actuation of thevalve dispensing mechanism 722 and dispensing of medicament dose willthereby result.

Control of electrical current flow to the refill seat 730, valve seat740 and wires 750 a, 750 b is achievable using the illustratedcircuitry. Refill seat 730 and valve seat 740 connect to actuationcircuit 760 which includes a high current power supply 762 (e.g. avoltaic cell or battery of voltaic cells) and a switch 764 in the formof a solid state relay. The solid state relay 764 itself connects withcontrol circuitry including a micro-controller 770 having an independentpower supply 772. The micro-controller 770 itself connects with pressuretransducer 780 which has an input in the form of a pressure tube 782located within the dispensing outlet 772 of the inhaler housing 770.

It may be appreciated that current flow to the refill seat 730, valveseat 740 and wires 750 a, 750 b, and hence actuation of the valvedispensing mechanism may be achievable as follows. The patient inhalesthrough the mouthpiece 772 resulting in a change in pressure within thehousing 770 and pressure tube 782. The change in pressure is detected bythe pressure transducer 780 which sends a signal to the micro-controller770. The micro-controller 770, in turn sends a switching signal to thesolid state relay 764 which results in closing of the actuation circuitand electrical current flow therethrough. The resulting contraction ofthe shape memory alloy wires 750 a, 750 b causes actuation of the valvedispensing mechanism 722 and hence, dispensing of medicament to theinhaling patient.

It may also be seen in FIG. 10 that the micro-controller 770 isconnected to a display 774 for display of information to the patient andalso with a computer interface 776 for exchange of data therewith. Allcircuitry and components thereof including the power supplies 762, 772and display 774 may be arranged to be present on the housing 770 suchthat the system is in the form of a discrete, hand-held device.

FIG. 11 shows a medicament dispenser 800 containing a refill cartridge802 in accord with a further embodiment of the present invention. Themedicament refill cartridge 802 comprises a flexible strip 804 defininga plurality of pockets each of which contains a discrete dose ofmedicament. The doses may be in the form of tablets, capsules, doses ofpowder which can be inhaled, etc.

The strip 804 comprises a base sheet in which blisters are formed todefine the pockets and a lid sheet which is hermetically sealed to thebase sheet except in the region of the blisters in such a manner thatthe lid sheet and the base sheet can be peeled apart. The lid and basesheets are each preferably formed of a plastics/aluminium laminate andare preferably adhered to one another by heat sealing.

FIG. 11 shows the internal mechanism of medicament dispenser 800 in thesituation where the majority of the pockets of the refill strip 804 arestill filled with medicament. The internal mechanism comprises an indexwheel 806 and a lid-winding spool 808 for winding the used portion ofthe lid sheet. The index wheel 806 has a plurality of recesses extendingparallel with the axis of the wheel. The recesses are spaced at a pitchwhich is equal to the distance between the centre lines of adjacentpockets in the refill strip 804.

The refill 802 includes an internal area for the medicament strip 802 tobe coiled in prior to use of the doses contained inside it. Thedispenser comprises an area where the used base and lid of themedicament carrier strip 804 is collected. After complete usage, theused base may be rewound back into refill automatically prior to removalof the refill.

The dispensing system 800, 802, includes an electronic data managementsystem 810, including all electronic components and electricalconnections, as described above in detail, and is adapted for dockingwith a corresponding docking station as described in detail above.

The refill 802 includes a data module 812 in the form of a chip, asdescribed above, which interfaces with the data management system 810when the refill 802 is inserted in the dispenser 800, via a hingedinsertion door 814, which is secured in place by means of a catch 816.On insertion of the refill, the lid sheet is wrapped around spool 808and the base sheet, containing the pockets of medicament, is inserted intransport passage 818 of the dispenser. Spool 808 and/or index wheel 806are revolved, by means of a motor controlled by data management system810 a predetermined amount for each dispensing operation. As thedispensing operation occurs, a new dose of medicament is presented atoutlet 820 for consumption by the patient.

Medicament dispensers of the present invention are in one aspectsuitable for dispensing medicament for the treatment of respiratorydisorders such as disorders of the lungs and bronchial tracts includingasthma and chronic obstructive pulmonary disorder (COPD).

Appropriate medicaments may thus be selected from, for example,analgesics, e.g., codeine, dihydromorphine, ergotamine, fentanyl ormorphine; anginal preparations, e.g., diltiazem; antiallergics, e.g.,cromoglycate (e.g. s the sodium salt), ketotifen or nedocromil (e.g. asthe sodium salt); antiinfectives e.g., cephalosporins, penicillins,streptomycin, sulphonamides, tetracyclines and pentamidine;antihistamines, e.g., methapyrilene; anti-inflammatories, e.g.,beclomethasone (e.g. as the dipropionate ester), fluticasone (e.g. asthe propionate ester), flunisolide, budesonide, rofleponide, mometasonee.g. as the faroate ester), ciclesonide, triamcinolone (e.g. as theacetonide) or6α,9α-difluoro-11β-hydroxy-16α-methyl-3-oxo-17α-propionyloxy-androsta-1,4-diene-17β-carbothioicacid S-(2-oxo-tetrahydro-furan-3-yl) ester; antitussives, e.g.,noscapine; bronchodilators, e.g., albuterol (e.g. as free base orsulphate), salmeterol (e.g. as xinafoate), ephedrine, adrenaline,fenoterol (e.g. as hydrobromide), formoterol (e.g. as fumarate),isoprenaline, metaproterenol, phenylephrine, phenylpropanolamine,pirbuterol (e.g. as acetate), reproterol (e.g. as hydrochloride),rimiterol, terbutaline (e.g. as sulphate), isoetharine, tulobuterol or4-hydroxy-7-[2-[[2-[[3-(2-phenylethoxy)propyl]sulfonyl]ethyl]amino]-ethyl-2(3H)-benzothiazolone;adenosine 2a agonists, e.g.2R,3R,4S,5R)-2-[6-Amino-2-(1S-hydroxymethyl-2-phenyl-ethylamino)-purin-9-yl]-5-(2-ethyl-2H-tetrazol-5-yl)-tetrahydro-furan-3,4-diol(e.g. as maleate); α₄ integrin inhibitors e.g.(2S)-3-[4-({[4-(aminocarbonyl)-1-piperidinyl]carbonyl}oxy)-phenyl]-2-[((2S)-4-methyl-2-{[2-(2-methylphenoxy)acetyl]amino}pentanoyl)-amino]propanoicacid (e.g. as free acid or potassium salt), diuretics, e.g., amiloride;anticholinergics, e.g., ipratropium (e.g. as bromide), tiotropium,atropine or oxitropium; hormones, e.g., cortisone, hydrocortisone orprednisolone; xanthines, e.g., aminophylline, choline theophyllinate,lysine theophyllinate or theophylline; therapeutic proteins andpeptides, e.g., insulin or glucagon; vaccines, diagnostics, and genetherapies. It will be clear to a person skilled in the art that, whereappropriate, the medicaments may be used in the form of salts, (e.g., asalkali metal or amine salts or as acid addition salts) or as esters(e.g., lower alkyl esters) or as solvates (e.g., hydrates) to optimisethe activity and/or stability of the medicament.

Preferred medicaments are selected from albuterol, salmeterol,fluticasone propionate and beclomethasone dipropionate and salts orsolvates thereof, e.g., the sulphate of albuterol and the xinafoate ofsalmeterol.

Medicaments can also be delivered in combinations. Preferredformulations containing combinations of active ingredients containsalbutamol (e.g., as the free base or the sulphate salt) or salmeterol(e.g., as the xinafoate salt) or formoterol (e.g. as the fumarate salt)in combination with an anti-inflammatory steroid such as abeclomethasone ester (e.g., the dipropionate) or a fluticasone ester(e.g., the propionate) or budesonide. A particularly preferredcombination is a combination of fluticasone propionate and salmeterol,or a salt thereof (particularly the xinafoate salt). A furthercombination of particular interest is budesonide and formoterol (e.g. asthe fumarate salt).

The medicament dispenser of the present invention in other embodimentscomprises a syringe for the delivery of injectable medicament to apatient. Traditional syringes rely on puncturing of the patient's skinby a hollow needle through which the injectable medicament (in solutionor suspension form) is delivered to the muscle or tissue of the patient.Recently developed needleless systems for the delivery of injectablesemploy high velocity injection of particle formulated drugs or vaccinethrough the skin and into any physically accessible tissue. Otherneedleless systems employ similar high velocity injection of drug orvaccine coated on to a suitable carrier particle.

It will be understood that the present disclosure is for the purpose ofillustration only and the invention extends to modifications, variationsand improvements thereto.

In alternative embodiments, there is no docking station situated in thepatient home or other environment. However a docking station 6 asdescribed may be provided in a health care provider location, such as inpatient clinic, physician's surgery or pharmacist. In this, and otheralternative embodiments, the dispenser contains a sealed long-lifebattery.

In the above embodiments, the service provider authentication anddecryption procedures for updates messages are carried out by thedispenser 2. In an alternative embodiment, the authentication and/ordecryption is performed by the docking station 6.

In the above embodiments, the refill is filled with medicament at thesite of manufacture. In an alternative embodiment, the refill may befilled in pharmacy, and its memory written to with data identifying itscontents and expiry date therefore.

In the above embodiments, authentication is performed by means ofencryption/decryption and by means of digital signature checking. Otherknown methods of authentication may also, or alternatively be used.Herein the term digital signature is intended to include digitalcertificates, which also provide means of authentication.

In the above embodiments, the docking station must first establish aconnection with the network server in order for update and displaymessages to be sent to the patient. Other means of delivery of messages,in particular push messages sent by the server at a time determined bythe server, may be sent in other formats, for example by means ofcellular telephony SMS messages, and to other devices, such as cellularradio devices.

In this description, and in the following claims, the devices involvedin the present invention include a dispenser and a refill. It is to benoted that the dispenser is not limited to a device comprising amedicament outlet; the outlet may be provided on the refill. Thedispenser is a device containing elements for the control of adispensing operation in which medicament, originally contained in therefill, is dispensed.

1. A method of controlling the functioning of a portable medicamentdispenser, said portable medicament dispenser being for use with arefill container, the refill container being insertable in saidmedicament dispenser in order to perform dispensing of medicament fromsaid refill container, said method comprising: (a) providing a memoryfor storing one or more parameters relating to the functioning of saiddispenser; (b) storing authentication data for authenticating data forcontrolling a function of said dispenser; (c) receiving control data forsaid dispenser in said refill container; (d) upon insertion of saidrefill container in said medicament dispenser, performing authenticationin said refill container of the control data using said storedauthentication data; (e) in dependence on a result of theauthentication, activating one or more parameters in said memory tocontrol functioning of said dispenser in accordance with said controldata and (f) transferring the control data from the refill container tothe dispenser to direct the dispenser to operate according to thecontrol data.
 2. A method according to claim 1, wherein the step ofauthentication comprises checking a code accompanying the control data.3. A method according to claim 2, wherein said authentication datacomprises an encryption key whereby said code is checked.
 4. A methodaccording to claim 2, wherein said code comprises a digital signatureformed by digital signature generation from said control data.
 5. Amethod according to claim 1, wherein the step of authenticationcomprises decryption of said control data.
 6. A method according toclaim 5, wherein said authentication data comprises an encryption keywhereby said control data is decrypted.
 7. A method according to claim6, wherein said encryption key used for decryption of said control datais a shared secret key.
 8. A method according to claim 1, wherein theauthentication comprises a cryptographic challenge/response procedure.9. A method according to claim 1, wherein said step of authenticationfurther comprises performing authentication in said portable medicamentdispenser.
 10. A method according to claim 1, wherein said portablemedicament container is for use with a docking station, and wherein saidstep of authentication further comprises performing authentication insaid docking station for said dispenser.
 11. A method according to claim1, wherein said portable medicament dispenser is for use with a node ofa data communications network, and wherein said control data comprisescontrol data received from said network node.
 12. A method according toclaim 1, wherein said control data comprises data arranged to control adose count function of said dispenser.
 13. A method according to claim1, wherein said control data comprises data arranged to control areminder function of said dispenser.
 14. A method according to claim 1,wherein said control data comprises data arranged to control a dosageamount during a dispensing operation.
 15. A portable medicamentdispenser, said portable medicament dispenser comprising a refillcontainer which is insertable in said medicament dispenser in order toperform dispensing from said refill container, said dispensercomprising: (a) a memory for storing one or more parameters relating tothe functioning of said dispenser; (b) means for storing authenticationdata for authenticating data for controlling a function of saiddispenser; (c) means, in said refill container, for receiving controldata for said dispenser; (d) means, in said refill container, forperforming authentication of the control data using said storedauthentication data; (e) means for, in dependence on a result of theauthentication, activating one or more parameters in said memory tocontrol functioning of said dispenser in accordance with said controldata characterized in that in use, said refill container stores saidcontrol data and following said authentication, and said control data istransferred from said refill container to said dispenser.
 16. A portablemedicament dispenser according to claim 15, wherein said means (d)comprises means for checking a code accompanying the control data.
 17. Aportable medicament dispenser according to claim 16, wherein saidauthentication data comprises an encryption key whereby said code can bechecked.
 18. A portable medicament dispenser according to claim 16,wherein said code comprises a digital signature formed by digitalsignature generation from said control data.
 19. A portable medicamentdispenser according to claim 15, wherein said means (d) comprises meansfor decryption of said control data.
 20. A portable medicament dispenseraccording to claim 19, wherein said authentication data comprises anencryption key whereby said control data can be decrypted.
 21. Aportable medicament dispenser according to claim 20, wherein saidencryption key used for decryption of said control data is a sharedsecret key.
 22. A portable medicament dispenser according to claim 15,wherein said means (d) comprises means for performing a cryptographicchallenge/response procedure.
 23. A portable medicament dispenseraccording to claim 15, wherein said dispenser further comprises meansfor performing authentication in said portable medicament dispenser. 24.A portable medicament dispenser according to claim 15, further includinga docking station, and wherein said docking station comprises means forperforming authentication in said docking station.
 25. A portablemedicament dispenser according to claim 15, wherein said portablemedicament dispenser is for use with a node of a data communicationsnetwork, and wherein said control data comprises control data receivedfrom said network node.
 26. A portable medicament dispenser according toclaim 15, wherein said control data comprises data arranged to control adose count function of said dispenser.
 27. A portable medicamentdispenser according to claim 15, wherein said control data comprisesdata arranged to control a reminder function of said dispenser.
 28. Aportable medicament dispenser according to claim 15, wherein saidcontrol data comprises data arranged to control a dosage amount during adispensing operation.
 29. A system for controlling the functioning of aportable medicament dispenser, said system including a network node, aportable medicament dispenser and a refill container which is insertablein said medicament dispenser in order to perform dispensing ofmedicament from said refill container, wherein said network node isconnected to a communications network and has access to a database forstoring one or more parameters relating to the functioning of saiddispenser, said system comprising (a) means for generating control datafor said dispenser using said one or more parameters; (b) means forgenerating authentication data based on said control data to produceauthenticatable control data; and (c) means for transmitting saidauthenticatable control data to be transmitted to said dispenser, so asto allow authentication of the generated control data, characterised inthat said system further comprises: means for receiving saidauthenticatable control data in said refill container; and means forperforming authentication of the control data in said refill container,and in that said refill container is adapted to store said control datafollowing said authentication, such that said control data can betransferred to said memory following insertion of said refill containerinto said dispenser.
 30. A system according to claim 29, furtherincluding a docking station for said medicament dispenser, and whereinsaid system further comprises means for transmitting saidauthenticatable control data to said docking station.